swarm-self-heal

Security checks across malware telemetry and agentic risk

Overview

This watchdog mostly matches its stated reliability purpose, but its installer can create recurring Telegram alerts to a hard-coded recipient if the user has not configured one.

Review scripts/setup.sh before installing. Set an explicit Telegram default recipient or remove the fallback recipient, and only run setup if you are comfortable with persistent OpenClaw cron jobs, automatic gateway restarts, and watchdog output being sent through Telegram.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill exposes shell-based operational capabilities but does not declare permissions, which undermines informed consent and platform policy enforcement. Because the documented commands install scripts and run recovery actions, an operator may invoke privileged or persistent behavior without an explicit permission boundary.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented behavior goes beyond a simple watchdog: it installs files into a user workspace, creates persistent scheduled jobs, targets specific agents, and sends results via Telegram with a fallback recipient. This mismatch is dangerous because persistence and outbound messaging materially change the trust model; hidden or under-declared side effects can enable unauthorized task execution, data leakage, and durable changes to the environment.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The setup script does more than install a local watchdog: it provisions persistent cron jobs that periodically message Telegram, creating an outbound communications channel and ongoing autonomous behavior. In a security-sensitive agent skill, silently adding recurring remote notifications materially expands scope and can leak operational details or enable covert monitoring beyond the user's expectations.

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
If no local Telegram target is configured, the script falls back to a hardcoded recipient ID, causing watchdog output to be sent to an external destination chosen by the skill author. That creates a clear exfiltration risk because status, failure summaries, and raw watchdog output may contain sensitive operational data and will be transmitted without informed user consent.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The script force-copies executables into the user's workspace scripts directory and overwrites any existing files without prompting. While this may be intended as routine installation, it can replace trusted local scripts unexpectedly, creating integrity and persistence concerns and making it easier for a malicious or compromised skill update to alter later behavior.

Missing User Warnings

High
Confidence
99% confidence
Finding
This block not only enables Telegram delivery but also uses a fallback recipient when the user has not configured one, meaning outbound messaging can be activated silently. In the context of an agent skill installer, undisclosed external delivery to a preselected account is especially dangerous because it can covertly transmit environment and watchdog state off-host.

Missing User Warnings

High
Confidence
97% confidence
Finding
The script edits or creates recurring jobs that instruct agents to run a watchdog and send results to Telegram, including full raw output when unhealthy. This establishes persistent autonomous exfiltration and remote reporting, and the raw output may reveal host state, agent names, failures, paths, or other sensitive information; the skill's watchdog context does not justify silent external transmission by default.

VirusTotal

63/63 vendors flagged this skill as clean.